Nov10
1:15 pm (UTC-7)   |   by Lordian Mosuela (Threats Analyst)

This month I’ve witnessed an evolution of file infectors/viruses in manipulating system infection. The diagram below shows the development from the old malware file to its new structure:

Old Infector Structure

New Infector Structure

Notice that unlike the “old” malware structure where all malware routines are contained in a single complete module, the PE file is now stripped into three parts, with propagation and download routines thrown in the picture.

This new infection routine starts with the “mother” file infector, which essentially contains the infection procedure. This part searches for executable files, where it then adds its code.

The infected files, in turn, contain the malware’s download routine, as well as an encrypted text file. When decrypted, the said text file points to another URL from which it downloads the executable file (which is a split module of the mother file infector), thereby restarting the whole infection routine. Note that the use of encrypted text is done to create a static site where the malware author can modify the data and source URL, especially when the link is already detected by an Internet security or anti-malware product.

An example of malware using such a method is PE_LIJI.A-O (the mother file infector). Its infected files are detected as PE_LIJI.A, which, in turn, downloads malicious files detected as WORM_DROM.AI.

In addition, WORM_DROM.AI performs routines that can disable anti-malware products. It displays an error message upon the execution of the software, as shown below:

WORM_DROM.AIerror

The LIJI-DROM tandem is yet another example of how threats are getting complex (routine-wise, to avoid immediate detection), how they are using the Web to leverage their malicious motives, and how “traditional” Internet security/Web blocking solutions is not enough.

Fortunately for customers, the security industry is evolving along with these threats — what with proactive and heuristic detection, and in the case of Trend Micro Web Reputation Services. Otherwise, the cleanup for this type of file infection will take NOT only three steps.

If you're new here, you may want to subscribe to our RSS feed. Thanks for visiting!



This entry was posted on Saturday, November 10th, 2007 at 1:15 pm and is filed under Malware . Responses are closed, but you can trackback from your own site.



Comments are closed.


Big Malware is Watching You
Yahoo! 360° Wannabe Spreads Trojan


 
TrendWatch Hijack This Web Protection Add-On
Free Online Virus Scan Rootkit Buster Submit Suspicious Files
Global Malware Map RUBotted? Trend Micro
 



    		 
© Copyright 2009 Trend Micro Inc. All rights reserved. Legal Notice